WebApps/Observium_CE
1
0
Fork 0
Code Pull Requests Activity
Observium_CE/mibs/a3com/A3Com-IPSO-r1-MIB

628 lines
27 KiB
Plaintext
Raw Blame History

-- Copyright 1995 by 3Com Corporation. All rights reserved.
-- MIB file name: a3Com-ipso
-- available in these 3Com devices: NETBuilder bridge/routers
-- For support or more info, check 3Com's web page at http://www.3com.com
A3Com-IPSO-r1-MIB DEFINITIONS ::= BEGIN
IMPORTS
enterprises
FROM RFC1155-SMI
OBJECT-TYPE
FROM RFC-1212;
--
-- This MIB is for 3Com systems that support IP security options
--
--
a3Com OBJECT IDENTIFIER ::= { enterprises 43 }
brouterMIB OBJECT IDENTIFIER ::= { a3Com 2 }
a3ComIPSO OBJECT IDENTIFIER ::= { brouterMIB 12 }
RowStatus ::= INTEGER {
-- the following two values are states
-- these values can be read or written
active(1),
notInService(2),
-- the following value is a state:
-- this value may be read, but not written
notReady(3),
-- the following three values are actions
-- these values can be written, but are never read
createAndGo(4),
createAndWait(5),
destroy(6)
}
--This data type, which has the same semantics as the RowStatus
--textual convention used in SNMPv2, is used to add and
--delete entries from a table.
--
--The tables in this MIB allow a subset of the functionality
--provided by the RowStatus textual convention. In particular
--row creation is allowed using only the createAndGo method.
--
--That is, when adding entries to this table, this object
--must be set to createAndGo(4). The instance identifier
--for this object will define the values of the columns
--that make up the index.
--
--In the same PDU, the appropriate remaining columns
--of that row must be set as well. The agent
--will immediately set the value of this object to
--active(1) if the row is correct. If not, the agent
--will refuse the SET request and return an
--error code.
--
--To modify an existing entry, it must be removed
--an another entry with the desired changes added.
--
--To remove an entry, set the value of this object
--to destroy(6).
a3IPsecureCtl OBJECT-TYPE
SYNTAX INTEGER {
security1108 (1),
security1038 (2),
noSecurity (3)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This object determines whether this system checks
for IP security options. If this object has the value
security1108 (1), then the system checks for IP security
options (per rfc1108) in each received IP packet and handles
them accordingly. If this object has the value security1038 (2),
then the system checks and acts on IP security options per
rfc1038. If this object has the value noSecurity (3), the
system does not check for IP security options."
DEFVAL { noSecurity }
::= { a3ComIPSO 1 }
a3IPsecureFileServer OBJECT-TYPE
SYNTAX INTEGER {
yes (1),
no (2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This determines whether security options are processed
when talking to the host identified by the UI parameter
FileServerAddr. If set to yes (1), the File Server is
treated like any other host on the network. If set to
no (2), the File Server is treated specially. Any security
options received from this IP address are ignored. Also, all
basic security options are stripped before sending a packet
to the File Server."
DEFVAL { no }
::= { a3ComIPSO 2 }
--
-- This next table contains port specific IP security parameters
--
a3IPsecureParamTable OBJECT-TYPE
SYNTAX SEQUENCE OF A3IPsecureParamEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"This table contains a set of parameters relating
to the configuration of IP security options."
REFERENCE
"RFC 1108, Security Options for the Internet Protocol."
::= { a3ComIPSO 3 }
a3IPsecureParamEntry OBJECT-TYPE
SYNTAX A3IPsecureParamEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Each entry in this table contains a set of IP security
parameters specific to a particular port."
INDEX { a3IPsecureParamPortIndex }
::= { a3IPsecureParamTable 1 }
A3IPsecureParamEntry ::=
SEQUENCE {
a3IPsecureParamPortIndex INTEGER,
a3IPsecureParamCtl INTEGER,
a3IPsecureLabelDefaultLevel INTEGER,
a3IPsecureLabelDefaultAuth INTEGER,
a3IPsecureLabelSysLevel INTEGER,
a3IPsecureLabelSysAuth INTEGER,
a3IPsecureMinLevel INTEGER,
a3IPsecureMaxLevel INTEGER
}
a3IPsecureParamPortIndex OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"This identifies the IP port to which the security
parameters in this entry apply."
::= { a3IPsecureParamEntry 1 }
a3IPsecureParamCtl OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This object controls a number of parameters associated
with IP security. Each parameter is represented by
a specific bit. If the bit is set, the parameter is
turned on. If the bit is not set, the parameter is
turned off. The state of all the parameters is represented
by a sum of all the bits, the value of each bit being
multiplied by 2 raised to the power of the position
of the bit in the integer.
With bit 0 being the least significant bit, the table
below defines the mapping of security parameters to bits.
bit # Parameter
0 Extended
1 BasicFirst
2 LabelAdd
3 LabelStrip
If bit 0 is set, the Extended parameter is turned on.
This allows datagrams with extended security options to be
received and/or transmitted from this port.
If bit 1 is set, the BasicFirst parameter is turned on. This
indicates that the basic security option is always transmitted
as the first option in the datagram, even if the packet
has to be rearranged. If this bit is not set, the datagram
options are sent as is.
If bit 2 is set, the LabelAdd parameter is turned on. This
ensures that all datagrams leaving this port have a label
attached to them. If an outgoing datagram does not have
a label, the default label, computed for the datagram
on receipt, is attached to it before transmission. If this
parameter is turned off, then datagrams without labels are
allowed to be transmitted, and the default label is not
attached to the datagram.
If bit 3 is set, the LabelStrip parameter is turned on. In
this case, any basic security option present in the datagram
is stripped before transmission through this port. The
stripping is done after all the security processing has been
done. If this parameter is turned off, the label is transmitted
as is."
DEFVAL { 0 }
::= { a3IPsecureParamEntry 2 }
a3IPsecureLabelDefaultLevel OBJECT-TYPE
SYNTAX INTEGER {
none (1),
topSecret (2),
secret (3),
confidential (4),
unclassified (5)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This parameter applies to packets received over this port
that have no classification level or authority flags.
When such packets are received, the value of this parameter
determines the IP security level that is attached to the
packet before any processing is done.
If this is set to none (1), any packet that is received
without a security level defined in the IP header options
is discarded.
If this is set to any other value, any packet received
without a security level defined in the IP header options
will have one added according to the value of this object.
A Protection Authority field will also be added to these
packets. The contents of the field is determined by the
value of a3IPsecureLabelDefaultAuth.
Note, this does not imply that the label will be automatically
attached to the packet on transmission. This is controlled
by the value of a3IPsecureParamCtl -- specifically, the value
of the LabelAdd bit"
DEFVAL { none }
::= { a3IPsecureParamEntry 3 }
a3IPsecureLabelDefaultAuth OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Like a3IPsecureLabelDefaultLevel, this parameter applies
only to packets received over this port that have no
classification level or authority flags. When such
packets are received, the value of this parameter determines
the Protection Authority flag field that is attached to
the packet before any processing is done.
The individual Protection Authority flags that are included
are determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object will be placed in the Protection Authority field of
received packets with no IP security options present. (note:
this is conditioned on a3IPsecureLabelDefaultLevel for this
port having a value other than none (1).)
If this object has the value 0, then no Protection Authority
field will be added to any received packets, regardless of the
value of a3IPsecureLabelDefaultLevel."
DEFVAL { 0 }
::= { a3IPsecureParamEntry 4 }
a3IPsecureLabelSysLevel OBJECT-TYPE
SYNTAX INTEGER {
none (1),
topSecret (2),
secret (3),
confidential (4),
unclassified (5)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This parameter applies to packets originated by this system
and sent over this port. When such packets are sent, the
value of this parameter determines the IP security level that
is attached to the packet before any processing is done.
If this is set to none (1), no IP security information
is added to these packets.
If this is set to any other value, any packet originated
by this system and sent over this port will have an IP security
level added according to the value of this object.
A Protection Authority field will also be added to these
packets. The contents of the field is determined by the
value of a3IPsecureLabelSysAuth.
The security level and Protection Authority flag field
must form a label which is legal for transmission on this
port. The range of legal values for the security level is
defined by a3IPsecureMaxLevel and a3IPsecureMinLevel.
The set of legal Protection Authority flags is determined
by the entries in a3IPsecureAuthOutTable."
DEFVAL { unclassified }
::= { a3IPsecureParamEntry 5 }
a3IPsecureLabelSysAuth OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-write
STATUS mandatory
DESCRIPTION
"Like a3IPsecureLabelSysLevel, this parameter applies
only to packets originated by this system and sent over
this port. When such packets are sent, the value of this
parameter determines the Protection Authority flag field
that is attached to the packet before any processing is
done. Note, this is assuming a3IPsecureLabelSysLevel has
a value other than none (1).
The individual Protection Authority flags that are included
are determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object will be placed in the Protection Authority field of
received packets with no IP security options present. (note:
this is conditioned on a3IPsecureLabelDefaultLevel for this
port having a value other than none (1).)
If this object has the value 0, then no Protection Authority
field will be added to any received packets, regardless of the
value of a3IPsecureLabelDefaultLevel."
DEFVAL { 128 }
::= { a3IPsecureParamEntry 6 }
a3IPsecureMinLevel OBJECT-TYPE
SYNTAX INTEGER {
topSecret (1),
secret (2),
confidential (3),
unclassified (4)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This defines the minimum classification level which
is acceptable by this port. This applies to any packet
which is entering or leaving this port. If the
classification level is outside the range defined by
the value of this object and the value of a3IPsecureMaxLevel,
the packet is discarded.
If a3IPsecureMaxLevel is set to level less than the level
indicated by this object, the value of this object will
be shifted so it is equal to a3IPsecureMaxLevel. This
will ensure that the range of security levels identified
by these two objects makes sense."
DEFVAL { unclassified }
::= { a3IPsecureParamEntry 7 }
a3IPsecureMaxLevel OBJECT-TYPE
SYNTAX INTEGER {
topSecret (1),
secret (2),
confidential (3),
unclassified (4)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This define the maximum classification level which
is acceptable by this port. This applies to any packet
which is entering or leaving this port. If the
classification level is outside the range defined by
the value of this object and the value of a3IPsecureMinLevel,
the packet is discarded.
If a3IPsecureMinLevel is set to a level greater than the
level identified by this object, the value of this object
will be shifted so it is equal to a3IPsecureMinLevel."
DEFVAL { unclassified }
::= { a3IPsecureParamEntry 8 }
--
-- This next table defines all combinations of Protection Authority flags which
-- are allowed to be present in any packet received by a particular port.
--
a3IPsecureAuthInTable OBJECT-TYPE
SYNTAX SEQUENCE OF A3IPsecureAuthInEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"This table enumerates all the combinations of Protection
Authority flags that may be present in packets received
over any of this system's ports."
::= { a3ComIPSO 4 }
a3IPsecureAuthInEntry OBJECT-TYPE
SYNTAX A3IPsecureAuthInEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Each entry in this table contains a specific combination
of Protection Authority flags that are acceptable in packets
received over a specific port."
INDEX { a3IPsecureAuthInPort,
a3IPsecureAuthInFlags }
::= { a3IPsecureAuthInTable 1 }
A3IPsecureAuthInEntry ::= SEQUENCE {
a3IPsecureAuthInPort INTEGER,
a3IPsecureAuthInFlags INTEGER,
a3IPsecureAuthInMatch INTEGER,
a3IPsecureAuthInStatus RowStatus
}
a3IPsecureAuthInPort OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"This identifies the port to which this entry applies."
::= { a3IPsecureAuthInEntry 1 }
a3IPsecureAuthInFlags OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"This identifies one combination of Protection Authority
flags that is allowed to be present in any packet
received by this port.
The combination of Protection Authority flags that is
allowed is determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object must be present in any received IP packet.
If the value of this object is zero, packets with no
Protection Authority flags are accepted by this port."
::= { a3IPsecureAuthInEntry 2 }
a3IPsecureAuthInMatch OBJECT-TYPE
SYNTAX INTEGER {
exact (1),
any (2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The value of this object determines whether the
Protection Authority flags in a received packet
must match the flags identified by the corresponding
instance of a3IPsecureAuthInFlags exactly, or if they
only have to match a subset of those flags.
If the value of this object is exact (1), the match must
be exact. If this object has the value any (2), only
a subset of the flags has to match."
DEFVAL { any }
::= { a3IPsecureAuthInEntry 3 }
a3IPsecureAuthInStatus OBJECT-TYPE
SYNTAX RowStatus
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This object is used to add and delete entries
in this table. See the notes describing
RowStatus at the beginning of this MIB."
::= { a3IPsecureAuthInEntry 4 }
--
-- This next table defines all combinations of Protection Authority flags which
-- are allowed to be present in any packet sent by a particular port.
--
a3IPsecureAuthOutTable OBJECT-TYPE
SYNTAX SEQUENCE OF A3IPsecureAuthOutEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"This table enumerates all the combinations of Protection
Authority flags that are allowed to be present in packets
transmitted over any of this system's ports. This does not
apply to packets generated by this system."
::= { a3ComIPSO 5 }
a3IPsecureAuthOutEntry OBJECT-TYPE
SYNTAX A3IPsecureAuthOutEntry
ACCESS not-accessible
STATUS mandatory
DESCRIPTION
"Each entry in this table contains a specific combination
of Protection Authority flags that are acceptable in packets
transmitted over a specific port."
INDEX { a3IPsecureAuthOutPort,
a3IPsecureAuthOutFlags }
::= { a3IPsecureAuthOutTable 1 }
A3IPsecureAuthOutEntry ::= SEQUENCE {
a3IPsecureAuthOutPort INTEGER,
a3IPsecureAuthOutFlags INTEGER,
a3IPsecureAuthOutMatch INTEGER,
a3IPsecureAuthOutStatus RowStatus
}
a3IPsecureAuthOutPort OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"This identifies the port to which this entry applies."
::= { a3IPsecureAuthOutEntry 1 }
a3IPsecureAuthOutFlags OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"This identifies one combination of Protection Authority
flags that is allowed to be present in any packet
transmitted by this port.
The combination of Protection Authority flags that is
allowed is determined by the individual bits that are set
in the value of this object, with the two least significant
bytes being of interest. Starting from bit 7 of the
INTEGER (with the least significant bit being numbered 0),
the mapping of bits to Protection Authority flags is as
follows (note: rfc1108 labels the most significant bit '0',
the next most significant bit '1', etc),
bit# Prot. Auth. Flag
7 GENSER
6 SIOP
5 SCI
4 NSA
3 DOE
While only bits 7 through 3 have specific Protection Authority
flags assigned to them, any 2 byte combination of bits may be
set as long as that combination is allowed by rfc1108. The
same 1 or 2 byte pattern of bits identified by the value of this
object is allowed to be present in any transmitted IP packet.
If the value of this object is zero, packets with no
Protection Authority flags are allowed to be transmitted
by this port."
::= { a3IPsecureAuthOutEntry 2 }
a3IPsecureAuthOutMatch OBJECT-TYPE
SYNTAX INTEGER {
exact (1),
any (2)
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The value of this object determines whether the
Protection Authority flags in a received packet
must match the flags identified by the corresponding
instance of a3IPsecureAuthOutFlags exactly, or if they
only have to match a subset of those flags.
If the value of this object is exact (1), the match must
be exact. If this object has the value any (2), only
a subset of the flags have to match."
DEFVAL { any }
::= { a3IPsecureAuthOutEntry 3 }
a3IPsecureAuthOutStatus OBJECT-TYPE
SYNTAX RowStatus
ACCESS read-write
STATUS mandatory
DESCRIPTION
"This object is used to add and delete entries
in this table. See the notes describing
RowStatus at the beginning of this MIB."
::= { a3IPsecureAuthOutEntry 4 }
END
View Git Blame Copy Permalink